New York State Cybersecurity Regulation

ATTENTION OPERATORS:

In March of 2017, New York State Department of Financial Services issued first-in-the-nation cybersecurity regulations. Banks, insurance companies and other financial services institutions regulated by DFS are required to have a cybersecurity program designed to protect the confidentiality, integrity, and availability of their information systems.

If you offer tenant insurance plans, you may have to submit a compliance form stating your cybersecurity program and written policy to help protect data and systems. Some companies may qualify for a limited exemption.

Exemption applies if:

you have fewer than 10 workers located in NY or responsible for your business;

you have less than $5 million in gross annual revenue in each of the last three fiscal years from NY business operations of us and our Affiliates;

you have less than $10 million in year-end total assets, including assets of all Affiliates; or

you do not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information.1

The New York Self Storage Association (NYSSA) highly recommends submitting a compliance or exemption form (if applicable), and contacting your insurance broker for assistance on the new regulations.

Visit the full list of regulations here. DFS has also issued FAQ's in conjunction with its notice to entities that have not filed Certification of Compliance that all licensees must complete.

Additional resources will be posted on NYSSA’s website (nyselfstorage.org/news).

Dates under New York's Cybersecurity Regulation (23 NYCRR Part 500)

March 1, 2017 - 23 NYCRR Part 500 becomes effective.

August 28, 2017 - 180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.

September 27, 2017 – Initial 30 day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.

February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.

March 1, 2018 - One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.

September 3, 2018 - Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.

March 1, 2019 - Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

1The requirements discussed in Sections 2-8 generally apply to all insurance licensees regardless of whether qualify for a limited exemption. The fourth exemption is broadest and qualifies an applicable licensees to an exemption from some of the requirements discussed in this memo. The NY cybersecurity requirements place additional requirements on the insurance licensees that do not qualify for one of the exemptions.